nullnet-libfireparse 0.3.4

A library for parsing and translating firewall configurations across multiple NullNet targets
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104

use crate::{Rule, opnsense::enpoint_parser::EndpointParser};
use roxmltree::{Document, Node};

pub struct OpnSenseRulesParser {}

impl OpnSenseRulesParser {
    pub fn parse(document: &Document) -> Vec<Rule> {
        let mut rules = vec![];

        if let Some(filter) = document
            .descendants()
            .find(|e| e.has_tag_name("opnsense"))
            .and_then(|e| e.children().find(|ce| ce.has_tag_name("filter")))
        {
            rules.append(&mut OpnSenseRulesParser::parse_rules(filter, "filter"));
        }

        if let Some(nat) = document
            .descendants()
            .find(|e| e.has_tag_name("opnsense"))
            .and_then(|e| e.children().find(|ce| ce.has_tag_name("nat")))
        {
            rules.append(&mut OpnSenseRulesParser::parse_rules(nat, "nat"));
        }

        rules
    }

    fn parse_rules(node: Node<'_, '_>, rule_type: &str) -> Vec<Rule> {
        let mut rules = Vec::new();

        for (index, rule) in (0_u64..).zip(node.children().filter(|e| e.has_tag_name("rule"))) {
            let disabled = rule.children().any(|e| e.has_tag_name("disabled"));

            let policy = rule
                .children()
                .find(|e| e.has_tag_name("type"))
                .and_then(|e| e.text())
                .unwrap_or("pass")
                .to_string();

            let ipprotocol = rule
                .children()
                .find(|e| e.has_tag_name("ipprotocol"))
                .and_then(|e| e.text())
                .unwrap_or("*");

            let protocol = rule
                .children()
                .find(|e| e.has_tag_name("protocol"))
                .and_then(|e| e.text())
                .unwrap_or("any");

            let description = rule
                .children()
                .find(|e| e.has_tag_name("descr"))
                .and_then(|e| e.text())
                .unwrap_or("")
                .to_string();

            let interface = rule
                .children()
                .find(|e| e.has_tag_name("interface"))
                .and_then(|e| e.text())
                .unwrap_or("none")
                .to_string();

            let (source_addr, source_port, source_type, source_inversed) =
                EndpointParser::parse(rule.children().find(|e| e.has_tag_name("source")));

            let (destination_addr, destination_port, destination_type, destination_inversed) =
                EndpointParser::parse(rule.children().find(|e| e.has_tag_name("destination")));

            rules.push(Rule {
                disabled,
                r#type: rule_type.to_string(),
                protocol: format!("{}/{}", Self::map_ipprotocol(ipprotocol), protocol),
                policy,
                description,
                source_port,
                source_addr,
                source_type,
                source_inversed,
                destination_addr,
                destination_port,
                destination_type,
                destination_inversed,
                interface,
                order: index,
            });
        }

        rules
    }

    #[inline]
    fn map_ipprotocol(ipprotocol: &str) -> &str {
        match ipprotocol {
            "inet" => "IPv4",
            "inet6" => "IPv6",
            _ => "none",
        }
    }
}